Overview

overview

10

Static

static

5

JaffaCakes...39.exe

windows7-x64

10

JaffaCakes...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1a2a92e2e9fff252bf49f78874ce3039.exe

  • Size

    486KB

  • MD5

    1a2a92e2e9fff252bf49f78874ce3039

  • SHA1

    2a033a47376cf677eaacc45ac764dde69e4f5285

  • SHA256

    e50be530edccfe3ef5839bbcda45fea371ed908354577c01c211716ee6957e09

  • SHA512

    7870df5cac0a2447c22eefc2e16619863cefa2aa9bb22d0e4788c0ffe9c76267e9abf70d0d46a6eff6551c3ca3560444aebe2e3a60f13936ee6db816854e7ec9

  • SSDEEP

    12288:lk2dpPMgDtaEOiLTEtFpn0c4lx5YYzA0RL+voS:3HPM2tWATEKvl7cwL

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2a92e2e9fff252bf49f78874ce3039.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2a92e2e9fff252bf49f78874ce3039.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Local\Temp\977D.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\977D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\977D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2a92e2e9fff252bf49f78874ce3039.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\99A0.tmp\batchfile.bat
        "C:\Users\Admin\AppData\Local\Temp\99A0.tmp\batchfile.bat"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\SysWOW64\28463\ECDY.exe
          "C:\Windows\system32\28463\ECDY.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1056
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:3132
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\ECDY.exe > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4504 -ip 4504
    1⤵
      PID:1244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\977D.tmp\b2e.exe
      Filesize

      489KB

      MD5

      330e27192fa131c383aec678e168aac0

      SHA1

      20aff2e189d4964d1fb80217180f338777d55fea

      SHA256

      06ece791d6eafb9f258c01b6d46645d56a5c3f0afd786077064af4ff97abf1c3

      SHA512

      058c1c53b34533ea1b1189a05bc6ea2594a70d9bc12b69dcfe9ad270138e98e97a492c5167d603fe073e1538b282db2b6922c66f165abe5ca5bdae4bd3938fd7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\99A0.tmp\batchfile.bat
      Filesize

      480KB

      MD5

      1a5c07bf497e0fccbaabd2de96bc9618

      SHA1

      55f4e5c08e5238ce45709a98133ea438ba05b2f6

      SHA256

      12ee81f8392f41ba88c4fbb32930d1d3aec9d718082a7cf122c0e0c55d78cba1

      SHA512

      d297cdd1fb01bffd4bc005a7dd6f5c785ab0e2f5c42eea435ef9e20e2c90c3430210c91797e46654906f08d3b7c3aa52a87e4a53a14c5904d57f3b9071795faf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\@9A9A.tmp
      Filesize

      4KB

      MD5

      13e10cd76f11d6cb43182dcba7370171

      SHA1

      e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

      SHA256

      f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

      SHA512

      ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
      Filesize

      158B

      MD5

      9ae6369e961e74684be2094fbdbac82f

      SHA1

      342b557bf3c9c3e0b9892ea8866841fc87e0b00c

      SHA256

      d0b827b9d3bbe777d62dda3707d23f88319fbfd675cf1b8cb22f04ee4d3a4b86

      SHA512

      fe80d7a82d008f33543f4e232001c66771bf6202042f2501c9ef79977f577c85af7a7d902d1a6dbf1ed4fb85672c03a898ba05eb595d5b27d121c8de095dbd8e

      Download Submit

    • C:\Windows\SysWOW64\28463\AKV.exe
      Filesize

      395KB

      MD5

      adbec81b510dcfe49835f95940ef961d

      SHA1

      77940f6e46fbd5f53de23bd49afe9172470769d0

      SHA256

      466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

      SHA512

      ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

      Download Submit

    • C:\Windows\SysWOW64\28463\ECDY.001
      Filesize

      434B

      MD5

      1101c9cd56c426f894fe04c1a7a73ed6

      SHA1

      a7df1226d375b7ccaffe5ea5466994d2eb7f6014

      SHA256

      0ae974531d0f4a2e608a2464338d1f8b3f4a550060cc724de7c0766e0e89f346

      SHA512

      2cb801c59ae6be12bcecd8899921b72c1159ee1c544fcdb130bf857f84f3d1bc12f579b37dca752a1c40692d01c546ca854050f576dfcf253ed0bd42e08ba4c1

      Download Submit

    • C:\Windows\SysWOW64\28463\ECDY.006
      Filesize

      8KB

      MD5

      f5eff4f716427529b003207d5c953df5

      SHA1

      79696d6c8d67669ea690d240ef8978672e3d151c

      SHA256

      ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

      SHA512

      5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

      Download Submit

    • C:\Windows\SysWOW64\28463\ECDY.007
      Filesize

      5KB

      MD5

      bc75eddaa64823014fef0fe70bd34ffc

      SHA1

      15cd2ace3b68257faed33c78b794b2333eab7c0a

      SHA256

      9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

      SHA512

      20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

      Download Submit

    • C:\Windows\SysWOW64\28463\ECDY.exe
      Filesize

      473KB

      MD5

      3c90d45b1c004e86a7f7a7a340f1abc8

      SHA1

      10602c450bcbda2735dc036f2e399646f0c64f4c

      SHA256

      f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

      SHA512

      85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

      Download Submit

    • memory/3176-39-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

      Download

    • memory/3176-8-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4424-0-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4424-11-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download